Dsolve Verification via Liquid Type Inference Ming Kawaguchi, Patrick Rondon , Ranjit Jhala
-
Upload
shoshana-herrera -
Category
Documents
-
view
22 -
download
0
description
Transcript of Dsolve Verification via Liquid Type Inference Ming Kawaguchi, Patrick Rondon , Ranjit Jhala
DsolveVerification via Liquid Type Inference
Ming Kawaguchi, Patrick Rondon, Ranjit JhalaUC San Diego
Verification andData Structures
int kmp_search(char str[], char pat[]){ p = 0; s = 0; while (p<pat.length && s<str.length){ if (str[s] == pat[p]){s++; p++;} else if (p == 0){s++;} else{p = table[p-1] + 1;} } if (p >= plen) {return (s-plen)}; return (-1);}
Need Universally Quantified Invariants
8i: 0≤i<table.length )-1 ≤ table[i] Every element of table exceeds -1Prove Access Within Array Bounds
Logic
Types
Precise data invariants
Generalization, instantiation hard
Coarse data structure invariants
Generalization, instantiation easy
Good SMT solvers available
Refinement TypesFactor Invariant Into Logic x Type
8i: 0 ≤ i<table.length )-1 ≤ table[i] Logic Type
table :: {v:int|-1 ≤ v} arraytable :: {v:int|-1 ≤ v} array
(Refinement)
table :: {v:int|-1 ≤ v} array
Atoms
Liquid Types
Set of quantifier-free predicates
-1 ≤
v0 < v v <
20
Refinements are conjunctions of atoms
index :: {v:int|-1 ≤ v ∧ v <
20}
Liquid Type Inferenceprogram
ML Type Inference int ! int
int ! {v:int|X}
x>0 ⊢ {v:int|v=x} <:{v:int|X}
int ! {v:int|0 ≤ v}
x>0 ∧ v=x ) X
Liquid Type Templates
Subtyping
Implication Constraints
Liquid Types
let rec ffor l u f =
if l < u then ( f l; ffor (l+1) u f )
Type of f
int ! unitTemplate of f
{v:int|X}!unit
Liquid Type of f
{v:int|l≤v ∧ v<u} ! unit
l Flows Into Input of f {v:int|v=l} <: {v:int|X}
l<u ⊢
l<u ∧ v=l ) X
Solution X = l≤v ∧ v<u
Reduces to
mapreduce (nearest dist ctra) (centroid plus) xs
|> List.iter (fun (i,(x,sz)) -> ctra.(i)<- div x
sz) Type of mapreduce(’a !’b * ’c list) !...! ’b * ’c list
Template of mapreduce(’a ! {X1} * ’a * {X2} list)!...! {X1} * ’a * {X2} list
Type Instantiation ’a with ’a ’b with int
’c with ’a * int
Template Instantiation ’a with ’a
’b with {v:int|X1}
’c with ’a * {v:int|X2}
Liquid Type of (nearest dist ctra)’a ! {0≤ v<len ctra} * ’a * {0<v} list’a ! {0≤ v<len ctra} * ’a * {0<v} list
<:’a ! {X1} * ’a * {X2} list
Solution X1 = 0≤v<len ctra X2 = 0<v
Reduces To0≤v <len ctra ) X1
0<v ) X2
Liquid Type of mapreduce Output {0≤ v<len ctra} * ’a * {0 < v} list
Finite Maps5: ‘cat’
3: ‘cow’ 8: ‘tic’
1: ‘doc’ 4: ‘hog’ 7: ‘ant’ 9: ‘emu’From OCaml Standard Library
Implemented as AVL TreesRotate/Rebalance on Insert/Delete
Verified InvariantsBinary Search Ordered
Height BalancedKeys Implement Set
Binary Decision DiagramsX1
X2 X2
X3
X4 X4
1
X1ÛX2 Ù X3ÛX4 Verified Invariant
Variables Ordered Along Each Path
Program Verified InvariantsList-Based Sorting Sorted, Outputs Permutation of Input
Finite Map (AVL) Balance, BST, Implements a SetRed-Black Trees Balance, BST, Color
Stablesort SortedExtensible Vectors Balance, Bounds Checking, …
Binary Heaps Heap, Returns Min, Implements SetSplay Heaps BST, Returns Min, Implements Set
Malloc Used and Free Lists Are AccurateBDDs Variable Order
Union Find AcyclicityBitvector Unification Acyclicity
Dsolve
1. Liquid Type Inference2. Results3. Demo
http://pho.ucsd.edu/liquid/demo/